On Thu, 2011-09-08 at 08:59:50 +0200, Raphael Hertzog wrote: > New patches attached.
> >From 8ea91d6285f490d583f85e1b1621a67ccb33e64a Mon Sep 17 00:00:00 2001 > From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <[email protected]> > Date: Wed, 27 Jul 2011 22:10:49 +0200 > Subject: [PATCH 2/3] dpkg-buildflags: emit hardening build flags by default > > + # Decide what's enabled > + my %use_feature = ( > + "pie" => 0, > + "stackprotector" => 1, > + "fortify" => 1, > + "format" => 1, > + "relro" => 1, > + "bindnow" => 1 > + );

Any reason you seem to have ignored the concerns I raised about defaulting to bindnow? In any case I don't think enabling this w/o further data demonstrating it's fine to do so is acceptable, as fixing any such regression would imply needing to hunt down packages built with the new flags and trigger binNMUs for them all. The default for it can always be changed later on, I don't see the need to rush it?

regards,
guillem
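
Review bot: The defaults in %use_feature are undocumented: nothing in the hunk says why "pie" is 0 while "bindnow" and the other four features are 1, so a reader cannot tell which choices are deliberate and which are provisional. Add a short comment per entry giving the reason for its default (the existing "# Decide what's enabled" comment only labels the block), and add a trailing comma after "bindnow" => 1 so that a later addition or reordering touches a single line.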

